[Openswan Users] [Announce] openswan-2.6.20 released

Paul Wouters paul at xelerance.com
Tue Feb 10 00:23:38 EST 2009

Xelerance has (finally) released openswan 2.6.20.

This is a major bugfix release.

As always, please use http://bugs.openswan.org/ to report bugs, or
discuss issues on users at openswan.org or dev at openswan.org. Or linger
at FreeNode's #openswan / #openswan-dev

Note that this does not yet fix L2TP (http://bugs.xelerance.com/view.php?id=1004)

This release also does not yet contain the new NAT-T code that does not
require a kernel recompile. That code still needs merging in, but you
can find it at: http://www.openswan.org/download/testing/nat-t/

Thanks to the many contributors of this release!

From the CHANGES file:

* Added support for USE_NSS (default false) [Avesh Agarwal]
* USE_IPSEC_CONNECTION_LIMIT (default false) support for those who have to
   deal with export restrictions [David]
* Added "metric=" keyword to the conn section to allow host failover
   from another interface to ipsec using route management. [David]
* Split crypto calls off into liboswcrypto for easier FIPS handling [David]
* Fix sprintf warning in init_crypto_helper [Owen Jacobson]
* KLIPS could not be unloaded (requires updated nat-t patch) [David]
* Fix crasher with disassociated pending (async) crypto requests [David]
* Make pluto more verbose on aborting for embedded systems [David]
* Fix for ipsec_kversion.h on kernels > 2.6.22 non-RHEL/SLE [David]
* New parser was missing keep_alive= and force_keepalive= options [Paul]
* Fix for ipsec whack --listevents [Shingo Yamawaki]
* Fix compiling without OCF [David]
* Fix for using kernel cryptoapi algs causing bad packets [David]
* Fix ESP+IPCOMP processing [David]
* Only calculate (expensive) irs->sa_len when debug is enabled [David]
* Repaired missing code responsible for sending IPCOMP request to peer [David]
* Make sure we only set NEXT_NONE on the last VID entry that we add [David]
* Fix NETKEY with transport mode and NAT-T [Paul]
   (does not yet fully fix bug #1004, as the wrong IP (inside vs outside)
    is used in the policy)
* Fix for KLIPS with NAT-t so decrypted packets do not appear to come
   from the hardcoded ipsec0 interface [Hiren Joshi]
* Send the remote host address to PAM during XAUTH so that it may be used
   for better logging/authentication purposes at the PAM end. [Ken Wilson]
* Using Main and Aggressive mode could pick the wrong policy and fail [David]
* Fix for main_inI2_outR2_tail() when compiled without DEBUG [Shingo Yamawaki]
* Fix for bogus "discarding packet received during asynchronous work
   (DNS or crypto)". We were queueing/dropping packets that were needed to
   get the tunnel going [David]
* The pluto event loop behaves more predictably under heavy load.
* Fix for sending wrong state/cookies with async crypto [David]
* Do not send duplicate status changes to the stats daemon [David]
* Disable the warning if DH operations take more than 200ms [David]
* Use K_SADB_EXT_MAX, not SADB_EXT_MAX in eroute.c [Carsten Schlote]
* Fix for fmt_common_shell_out() using long PLUTO* vars [Carsten Schlote]
* Bugtracker bugs fixed:
    #1015: no building of ipsec.conf.5 manpage on 2.6.20dr2
    #1018: ipsec eroute --clear segfaults (KLIPS) [Carsten Schlote]
    #1004: [partial fix] ipsec/l2tp server behind NAT/port forward broken [Paul]
    #1014: compress=yes on initiator does not propose IPcomp [David]
    #0982: kernel panic with compression=yes [Florian Westphal]
    #0949: not able to set nhelpers=0 [Shingo Yamawaki]
